Hello @ITWhisperer, Thank you for your response.  Can you please help with example of how to write the code? |inputlookup myTable.csv |where _time=relative_time(now(),"-1d@d") Now I need to apply the regular expression on fieldA and store the extracted data from each row in field: res. It would be very helpful if you could help. Thank you

Hi,  I script something by myself and I want to share it with you.   https://github.com/Gotarr/Splunkbase-Download-script  (python-script) My Inspiration is from @tfrederick74656  but his script dosnt work for me very well.   Happy splunking and let me know if something dosnt work.  

@yuanliu  Your suggestion worked for me, but is there a way to put comments with Carriage Return in multiple lines? See below.. Thanks { "visualizations": { "viz_OQMhku6K": { "type": "splunk.ellipse", "_comment": " ================================== This is created by Person1 on 1/1/2023 @companyb On 2/1/2023 - added base search On 2/5/203 - added dropdown box " } },  

But, this regex with SED will replace in all events, i only need them replaced when action=Allowed and Service=23" in raw events. your regex will not satisfy below event. 2023-11-20K00:12:00-05:00 111.111.11.111 time=1700513221|hostname=firewallhost|product=Firewall|action=Denied|ifdir=inbound|ifname=eth3-01|logid=xxxx|loguid={xxxx,xxxx,xxxx,xxxx}|origin=111.111.11.111|originsicname=PK\=originsicname,O\=xpljdkdk..xpl78kdk|sequencenum=00|time=1700513221|version=5|dst=111.11.1.111|dst_country=PL|inspection_information=Geo-location outbound enforcement|inspection_profile=Geo_settings_upgraded_from_FWPRMLP_Internet_v4|protection_type=geo_protection|proto=99|s_port=1234|service=67|src=111.11.1.111|src_country=Other  

It's possible but it's not possible to "add" this to an already done search because at each "pipe point" in the pipeline you lose all the data that's not passed to the next step in the pipeline so you can't "gather" additional data (unless you do some fancy and ineffective things like the map command). So you'd have to first do | tstats not just as a general count but would have to do the additional clause of "BY _time span=1d" to get a separate data point for each day.  With few different user you probably could do timechart then (you could use prestats=t mode of tstats for that case) and do streamstats count resetting on zero count values for given day. Otherwise you'd probably have to use streamstats to find last date for each user that showed the count and then do eval to mark consecutive days and another streamstats to count those consecutive days. Kinda complicated but it's doable.

This is my raw data, I have to calculate the last 3 months executions date month countries Jobs type November AUS Execution October JER Execution September IND Execution August ASI Execution

I want to filter the palo logs at the forwarder level by looking at the packet before indexing( licensing) based certain condition like... zone, firewall name(enterprise) etc The logs comes to both our UF & HF, what is the best way to achieve it. Was looking into a few doc suggesting to apply ingest eval, is that feasible? Can anyone please help me with this.